How do I provision JIT Access to use contributor/owner rights on an azure resource?

Brian Smith 0 Reputation points
2023-05-02T12:47:29.9933333+00:00

We would like to implement Azure PIM like functionality for the Owners and Contributors on Subscriptions and Resource Groups. The goal is to allow Owners and Contributors (or any role that provides anything other than read access) to have to document a justification for use of any write operations similar to the JIT access. I do not see an Azure native way to accomplish this. How can this be configured?

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,370 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,930 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,092 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vahid Ghafarpour 19,790 Reputation points
    2023-05-02T16:50:03.8433333+00:00

    Azure Privileged Identity Management (PIM) allows you to manage, control, and monitor access to resources within Azure. However, PIM does not provide the functionality you are describing out of the box.

    To implement the functionality you are describing, you could use Azure Policy to create a custom policy that requires justification for any write operations on subscriptions and resource groups. You could then assign this policy to the Owners and Contributors roles.

    The policy would evaluate every write operation and prompt the user for a justification before allowing the operation to proceed. The justification would then be logged for auditing purposes.

    To create this policy, you can use Azure Policy's "Deny" effect to block any write operations that do not include a justification. You can use the built-in Azure Policy definition "Audit write operations that don't include a justification" as a starting point, and modify it to meet your specific needs.

    Once the policy is created, you can assign it to the Owners and Contributors roles using Azure RBAC (Role-Based Access Control). You can also configure email notifications or alerts to be sent to designated administrators when a write operation is denied due to a lack of justification.

    Note that this approach requires some custom development work, but it can help you achieve the desired functionality.

    0 comments No comments